-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Aruba Wireless Networks Security Advisory

Title: Risk of multiple Denial of Service attacks using modified ICMP packets

Aruba Advisory ID: AID-041905
Revision: 1.0

For Public Release on 04/15/2005 at 11:00 (GMT)

References: (IETF) Internet Draft entitled "ICMP Attacks Against TCP"
- ------------------------------------------------------------------------------

SUMMARY

The Internet Engineering Task Force has made available to the public a
document that describes how to use the Internet Control Message Protocol
(ICMP) to perform multiple Denial of Service (DoS) attacks against the
Transmission Control Protocol (TCP), using modified ICMP packets.

The attacks described in this IETF document, which affect sessions
originating or terminating on a device itself, can be one of the following
three types:

1) Attacks using ICMP "hard" error messages
2) Attacks using ICMP "fragmentation needed/Don't Fragment bit set" messages
   (aka Path Maximum Transmission Unit Discovery attacks)
3) Attacks using ICMP "source quench" messages

The results of a successful attack are usually throughput degradation and
connection resets.

PRODUCTS AND FIRMWARE VERSIONS AFFECTED

Hardware: None of the Aruba Wireless Networks devices are affected
Software: Aruba OS versions prior to 2.0.0.0 might be affected

DETAILS

The attacks described in the IETF document intend to cause different
problems on networking devices. Although it is not proven that Aruba
switches using a version lower than 2.0.0.0 are affected, it is highly
recommended to upgrade the switches to version 2.0.0.0 or higher.

ICMP (Internet Control Message Protocol) packets may be used to report
error conditions and also to provide connection information/debugging.
With regard to error conditions, ICMP messages can be generated by any
networking device participating in a connection, whether one of the end
systems or an intermediary system such as a switch or router. The behavior
of a device upon receiving an ICMP error notification might differ,
depending on the type of error message received. RFC 1122 defines two types
of ICMP errors, "soft" and "hard" errors. Soft errors usually cause
retransmissions, while hard errors might cause sessions between two
end-points to drop.

Hard ICMP Error Messages Attacks

This type of attack intends to cause a session between two end-points to be
aborted, by sending a spoofed ICMP error message to one of these
end-points.

Fragmentation Attacks

With this attack, ICMP messages are used to set the Path MTU between two
end-points to a very low value. The result will possibly be degraded
throughput on the connection, possibly even causing session drops on the
higher layer protocols in the TCP/IP stack. Still on the fragmentation
topic, if the attacker sets the "Don't Fragment" bit and sends spoofed
packets to, again, any of the end-points, the connection will probably
drop.

Source Quench ICMP Messages Attacks

This attack is intended mostly to cause throughput degradation, since the
"source quench" message is usually implemented to cause the device
receiving it to start a congestion avoidance algorithm. This algorithm
varies from application to application, as well as from protocol to
protocol.

IMPACT

Aruba switches are not affected by the attacks named "Hard ICMP Error
Message Attacks" and "Source Quench ICMP Messages Attacks" since there are
specific mechanisms to keep track of the sessions used by the device.

With regard to the attack named "Fragmentation Attacks", many protocols
used by the industry are targets of these attacks.
Such protocols, like GRE, PPTP, IPIP and IPSec, can be configured on the
Aruba products, but are not affected by the attacks described in the IETF
draft.

WORKAROUNDS

There is no need for a specific workaround to be implemented.

SOLUTION

Make sure the switch is running version 2.0.0.0 or higher.

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website.

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com
web: http://www.arubanetworks.com/support

Please do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.

EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at
http://www.arubanetworks.com/support/wsirt/alerts/aid-04192005.asc

STATUS OF THIS NOTICE: Final

Although Aruba Wireless Networks cannot guarantee the accuracy of all
statements in this advisory, all of the facts have been checked to the best
of our ability. Aruba Wireless Networks does not anticipate issuing updated
versions of this advisory unless there is some material change in the
facts. Should there be a significant change in the facts, Aruba Wireless
Networks may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at
http://www.arubanetworks.com/support/wsirt/alerts/aid-04192005.asc

Future updates of this advisory, if any, will be placed on Aruba's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.
REVISION HISTORY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGeFlZp6KijA4qefURAp4bAJ91ooYzKel8FxO6AVXFJusdPydYpQCgja89
rjau2MW44hzbh5AtXSQSycc=
=DbR6
-----END PGP SIGNATURE-----
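
The IMPACT section credits session tracking for resistance to spoofed ICMP errors. The sketch below is an added example, not Aruba's code: it shows one way a receiver can vet an ICMP error against tracked TCP state, using the sequence-number check recommended by the referenced IETF draft. The session table layout, the 576-byte PMTU floor and all addresses are assumptions; checksum verification is omitted.

```python
import socket
import struct

MIN_PMTU = 576  # assumed policy floor (RFC 1191 never allows going below 68)

def seq_in_flight(seq, snd_una, snd_nxt):
    """True if snd_una <= seq < snd_nxt in 32-bit modular arithmetic."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)

def check_icmp_error(icmp, sessions):
    """Return 'accept' or 'drop:<reason>' for one ICMP error message.

    sessions maps (local_ip, local_port, remote_ip, remote_port) to
    (snd_una, snd_nxt); this table layout is hypothetical.
    """
    if len(icmp) < 8 + 20 + 8:
        return "drop:truncated"
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]  # quoted header of the packet we supposedly sent
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8 or inner[9] != 6:
        return "drop:not-tcp"
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    state = sessions.get((src, sport, dst, dport))
    if state is None:
        return "drop:no-session"
    # A blind attacker has to guess a sequence number that is still unacknowledged.
    if not seq_in_flight(seq, *state):
        return "drop:seq-not-in-flight"
    if icmp_type == 4:  # source quench: ignored for TCP, as the draft advises
        return "drop:source-quench"
    if icmp_type == 3 and code == 4 and mtu < MIN_PMTU:  # fragmentation needed
        return "drop:pmtu-too-low"
    return "accept"

def build_icmp(icmp_type, code, mtu, src, sport, dst, dport, seq):
    """Construct a sample ICMP error quoting a 20-byte IPv4 header + 8 TCP bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + ip + tcp

# Constructed sample data (documentation address ranges, not real hosts).
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 179)
SESSIONS = {FLOW: (1000, 5000)}  # snd_una, snd_nxt
```
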